Methods and Systems for Efficient Virtualization of Inline Transparent Computer Networking Devices

ABSTRACT

Network devices that are inserted inline into network links and process in-transit packets may significantly improve their packet-throughput performance by not assigning L3 IP addresses and L2 MAC addresses to their network interfaces and thereby process packets through a logical fast path that bypasses the slow path through the operating system kernel. When virtualizing such Bump-In-The-Wire (BITW) devices for deployment into clouds, the network interfaces must have L3 IP and L2 MAC addresses assigned to them. Thus, packets are processed through the slow path of a virtual BITW device, significantly reducing the performance. By adding new logic to the virtual BITW device and/or configuring proxies, addresses, subnets, and/or routing tables, a virtual BITW device can process packets through the fast path and potentially improve performance accordingly. For example, the virtual BITW device may be configured to enforce a virtual path (comprising the fast path) through the virtual BITW device.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 17/395,120, filed Aug. 5, 2021, which claims priority to U.S.Provisional Patent Application Ser. No. 63/071,174, filed Aug. 27, 2020,each of which is hereby incorporated by reference in its entirety.

BACKGROUND

Transmission Control Protocol/Internet Protocol (TCP/IP) networks, suchas the public Internet, are the basis for the modern information age.The TCP/IP protocol suite enables data communications between endpointhost computers by specifying how data should be packetized, addressed,transmitted, routed, and received. The TCP/IP protocol suite consists offive layers: the physical layer (Layer 1, or L1), the data link layer(L2), the network layer (L3), the transport layer (L4), and theapplication layer. Of particular relevance to the present disclosure arethe Layer 3 (L3) protocols, (e.g., Internet Protocol (IP), such as IPv4and IPv6), which are used by network nodes/hosts such as routers toefficiently direct packets to their destinations (e.g., endpoints/hostcomputers), as well as the Layer 2 (L2) link-layer protocols (e.g.,Ethernet 802.3, Media Access Control (MAC) addressing, AddressResolution Protocol (ARP), Neighbor Discovery Protocol (NDP), etc.),which are used to efficiently transmit packets across the linksconnecting network nodes/hosts.

Many organizations operate private TCP/IP networks to support theirbusiness operations and to provide computer services and resources toother networked organizations and consumers. These private networks areinterconnected by the Internet, which enables different organizations toaccess each other's computer services and resources. These computers areaddressed by, or identified by, IP addresses that are elements of theInternet's public IP address space/set. Private networks are oftenoperated/administrated autonomously from the Internet and use a privateIP address space/set that is distinct from the Internet's public IPaddress space/set, i.e., the intersection is the empty set. Thus, if anorganization operating a private network wants its computers/hosts toaccess or be accessed by Internet hosts, then the organization needs tooperate a network address translation (NAT) gateway located at theboundary between the private network and the Internet. The NAT gatewayfunctions as an interface between the Internet IP address space and theprivate network's IP address space, i.e., the NAT gateway translatesbetween Internet IP addresses and the private network's IP addresses.Thus, if an organization wants to make a host computer connected to itsprivate network accessible/addressable from the Internet, for example acompany web site, then the host computer must be associated with both aprivate IP address and a public IP address. The NAT gateway isconfigured to translate between the host computer's private IP addressand its public IP address. These associations may be static andpermanent or dynamic and ephemeral.

FIG. 1A illustrates an example of a network environment 100 where a(physical, or non-virtual) private network 104 operated/administrated byan enterprise interfaces with a public network 102 (e.g., the Internet).The enterprise may assign private IP addresses, for example from theIPv4 private address space 10.0.0.0/8, to the network interfaces of itshost computers, routers, and/or other devices. An internal routingprotocol (e.g., Open Shortest Path First (OSPF)) may be used by theenterprise to define a routing policy that determines a network path 108between any two private IP addresses associated with the private network104. The enterprise may interface its private network (which may use aprivate IP address space) with the Internet (which may use a public IPaddress space) via a network address translation (NAT) gateway (NAT-G/W)120. The NAT gateway function may be included in one or more networkedge devices such as network firewalls and edge routers, which are notshown in the diagram. The NAT-G/W 120 may translate public Internet IPaddresses assigned to the enterprise to private IP addresses. This way,internal hosts connected to the private network may be able tocommunicate with Internet hosts, and vice versa. For example, theenterprise's Internet Service Provider (ISP) may provision a publicInternet (IPv4) address block (e.g., 174.129.20.0/24) to the enterprise.The enterprise may assign, for example, the address block174.129.20.0/24 to an Internet-facing network interface N1 121 of itsNAT-G/W 120 and, for example, the private IP address 10.0.1.1 to aprivate network-facing network interface N2 122 of NAT-G/W 120.

The enterprise may also configure NAT-G/W 120 to map a public IP address(e.g., 174.129.20.63) to a private IP address (e.g., 10.0.2.157)assigned to a (physical, or non-virtual) computer 160. Thus, computer160's public IP address in this example would be 174.129.20.63. Therouting policy and associated configuration for the private network 104may determine the path 108 through the private network 104 for packetssourced by or destined for computer 160 that pass through the NAT-G/W120 (i.e., packets destined for or sourced by Internet hosts). Path 108may be, for example, a single physical link/cable connecting a networkinterface of NAT-G/W 120 to a network interface of computer 160 or, forexample, multiple physical links connecting one or more routers and/orswitches (nodes) that are on the network path. With this configuration,for example, a computer HOST-0 110 connected to the public network 102may communicate bi-directionally with computer 160 connected to theprivate network 104 via transmission of L3/IP packets through theInternet with 174.129.20.63 as the source or destination IP address.

The enterprise may deploy intermediary devices that are inserted inlineinto physical links (e.g., copper and optical cables) connecting networkinterfaces of network nodes (e.g., routers, switches, host computers,etc.) and that may inspect and process in-transit packets in accordancewith the packets' contents and/or with the application logic of theintermediary device. As such, these devices may be referred to asin-transit packet-processing devices. These intermediarypacket-processing devices may enforce data communications policies(e.g., network security policies, network access control policies,network application usage policies, network address translationpolicies, etc.) as defined by the owner/operator/administrator (e.g.,the enterprise) of the private network. In order to enforce the policieson particular communications, the network administrator may coordinatethe locations of the intermediary packet-processing devices (e.g.,determine into which links the intermediary packet-processing devicesare to be inserted), the network configurations, and/or the routingpolicies such that the particular communications' packets always passthrough (in one or both directions) the intermediary packet-processingdevices. Because these policies may be applied to communications betweeninternal hosts (connected to the private network, e.g. computer 160) andpublic network (e.g., Internet) hosts, the devices may be located at ornear the boundaries between the private network and the public network,for example, the devices may be inserted into public network accesslinks. Examples of these devices include network firewalls, networkaccess controllers, web proxies, TLS proxies, packet security gateways,threat intelligence gateways, IPsec gateways, and the like. Similarly,the devices may be located between the boundaries of any differentnetworks (for example, not just limited to between a private network anda public network) and/or between the boundaries of subnets and/orsegments within a network, e.g., at concentrations points and loaddistribution points.

Referring to FIG. 1B: When configuring an intermediary packet-processingnetwork device C 140 for inline operation/insertion in a link on a path108 between two network elements A (e.g., NAT-G/W 120) and B (e.g.,computer 160), a physical link (e.g., a copper or optical cable, and/ora physical wireless connection) that may compose all or a portion ofpath 108 may be physically segmented into two links, with one linkconnecting a network interface port of element A with a networkinterface port C1 141 of the device C 140, and with the other linkconnecting a network interface port of element B with a networkinterface port C2 142 of the device C 140. Network interfaces C1 and C2of device C may be connected by an internal logical link defined by thedevice's application logic (e.g., packet filtering and/or associatedpolicy enforcement logic). For example, an in-transit packet thatingresses C1 (or C2) may be processed by device C's application logicand then, provided that the logic decides not to drop the packet, thepacket may egress device C via C2 (or C1).

In some scenarios, the network devices' network interfaces may haveL3/network-layer (e.g., IPv4) and L2/link-layer (e.g., MAC) addressesassociated with them. In such examples, the interfaces and devices aredescribed as being non-transparent. Non-transparent devices may haveinterfaces that may be addressed directly and may participate indetermining (L3) routing policy and configurations via routing protocols(e.g., OSPF) and (L2) switching & forwarding and link-layer discoveryprotocols (e.g., ARP, NDP). With regard to enforcing communicationspolicies, for example, to enforce web usage and web security policies,the enterprise may configure its networks (e.g., private network 104),devices, and applications such that certain (or all) outbound web (i.e.,HTTP/HTTPS) traffic must be routed through a non-transparent web proxy,and/or that the network firewall only allows outbound web traffic fromthe non-transparent web proxy. Such a configuration may involve the webproxy's network interfaces being assigned/identified with (L3) IPaddresses. More generally, when network administrators define networkcommunications policies that require that particular communicationsroute through packet processing devices with IP-addressable networkinterfaces, the administrators must ensure that the network and routingpolicy/routing tables are properly configured to satisfy therequirement. Changes to the network and/or the routing policy maypotentially cause changes in the routing such that the requirement isnot satisfied; thus, when making such changes, administrators may needto take actions to ensure such requirements are still satisfied.

In other scenarios, the network devices may not have L3/network-layer(e.g., IPv4, IPv6) and L2/link-layer (e.g., MAC) addresses associatedwith them. This configuration may be used in, e.g., inline networkdevices that process in-transit packets, for example, packet-filteringdevices. In such examples, the interfaces and devices are described asbeing (L3- and L2-) transparent, because the devices cannot be “seen” orobserved by other network elements and protocols operating at L3 or L2.Skilled artisans may refer to such a transparent inline device as a“bump in the wire” (BITW), one reason being that frames/packetstransiting through a BITW device are not modified at L2 or L3 (e.g.,there are no changes made to MAC addresses or IP addresses or otherheader fields), and often are not modified at any layer.

There are multiple potential advantages and potential efficienciesresulting from this transparency configuration of a BITW device. Forexample, performance (as measured by the device's packet throughput) maybe improved for multiple reasons. One reason is that egressingframes/packets may not need to access routing and forwarding tables, forexample via a call to the operating system (OS) kernel, to determine,for example, the destination MAC address for the L2 frame. Anotherreason is that non-transparent packet-processing devices may use therelatively slow TCP/IP networking stack logic provided by the devices'OS (e.g., Linux) kernel to process in-transit packets and participate inL3 routing and L2 switching/forwarding protocols; whereas, transparentdevices may bypass the OS kernel's TCP/IP networking stack and use muchfaster packet processing logic that directly accesses the networkinterface controllers (NICs), for example, the Data Plane DevelopmentKit (DPDK). Fast packet processing logic modules such as DPDK may notnatively support functions that alter L3/IP packet headers (e.g., proxyfunctions that change packets' source or destination IP address values)or L2/Ethernet frames (e.g., link forwarding functions that changesource or destination MAC address values). If such functions are neededfor a particular application, then the application may access them via,for example, calls to the OS' TCP/IP networking stack; however, thisapproach may affect the application's packet processing performance.

Skilled artisans often refer to an OS bypass architecture/implementationas a “fast path” (vs. the “slow path” through the OS kernel) and mayassume that the associated BITW device adds minimal latency and does notdrop packets (because of, for example, buffer overflows resulting fromlarge latencies). As with non-transparent devices, when networkadministrators define network communications policies that require thatparticular communications transit through such transparent devices, thenthe administrators must ensure that the network and routing policy areproperly configured to satisfy the requirement. But, because thetransparent devices' network interfaces do not have IP addresses,administrators cannot use routing policy to direct particular packets tothe interfaces, but instead must use indirect methods to ensure thatrequirements are met. Accordingly, and similar to the non-transparentdevice case, changes to the network and/or the routing policy maypotentially cause changes in the routing such that the requirement isnot satisfied; thus, when making such changes, administrators may needto take actions to ensure such requirements are still satisfied, whichmay be more difficult to effect than the non-transparent case (because,for example, only indirect vs. direct routing methods can be used).

The efficiencies of cloud computing platforms and services (e.g., AmazonWeb Services, Microsoft Azure, Google Cloud, etc.) have caused manyorganizations to migrate, or virtualize, portions of their physicalprivate networks into virtual private clouds. When provisioning inlinenetwork devices, for example inline packet-filtering devices, in avirtual private cloud environment using a service such as Amazon VirtualPrivate Cloud (VPC), the devices' network interfaces must be assigned(private) IP addresses, and the devices' network interfaces can nolonger be transparent. Whereas a connection to a physical device'snetwork interface port may be made with a physical connection, forexample, an Ethernet cable, no such physical connection is possible in avirtual environment. When mapping such physical connections to a virtualcloud environment, the connections must be emulated/virtualized via L3routing and the associated routing policy.

FIG. 2A illustrates an example network environment 200 where a virtualprivate cloud 204—which has, for example, been configured by anenterprise on top of an Infrastructure-as-a-Service (IaaS) platform,which may be hosted by the enterprise itself or hosted by an IaaSprovider (e.g., Amazon, Microsoft, Google, etc.)—interfaces to thepublic network 102. Virtual private cloud 204 may be a virtualizedversion of physical private network 104 in FIG. 1A. A virtual NAT-G/W220 function, which may be supplied/provisioned by the IaaS platform,may map public addresses (e.g., Internet addresses), for example174.129.20.63, to private IP addresses of virtual computers, such as10.0.2.157 for virtual computer 260.

The routing protocol and associated routing policy may also determinethe network path between virtual NAT-G/W 220 and virtual computer 260,which is represented in FIG. 2A by virtual path 208. The routingprotocols and policies for the virtual private cloud may beadministrated by the IaaS platform supplier, for example an IaaSprovider, and not necessarily by the platform subscriber (e.g., theenterprise). Routing protocols and policies may differ between differentIaaS providers; furthermore, IaaS providers may not expose the controlof the routing protocols and policies to the subscribers/enterprisesthat use the IaaS providers' virtual private cloud platforms. Thus, forexample, if an enterprise requires that particular packets traverse aparticular path or subpath or link through a virtual private cloud, thenthe enterprise must configure the IP addresses of the cloud's elementsand configure the private cloud in such a way that a particular pathwill be traversed by particular packets, for example, by configuringsubnets and by modifying the cloud's route tables (which IaaS providersexpose). Because the enterprise may not control the routing policy,ensuring that such requirements are met may be difficult andproblematic, especially when the private cloud is dynamic, e.g., whenchanges are frequently made to the private cloud that modify the routingconfigurations (which may be likely because one of the potentialadvantages of clouds is that changes to the network, for exampledynamically adding or removing servers because of dynamic changes inloading, may be much more efficient to implement compared to physicalnetworks).

SUMMARY

The following several paragraphs present a simplified summary in orderto provide a basic understanding of some aspects of the disclosure. Theyare intended neither to identify key or critical elements of thedisclosure nor to delineate the scope of the disclosure. The followingseveral paragraphs merely present some concepts of the disclosure in asimplified form as a prelude to the description below.

In view of the Background discussion above, there is a need for methods,systems, and logic that support virtualization of transparent physicalBITW network devices and/or provisioning of the devices into dynamicvirtual private cloud environments. There is further a need for this tobe done in a way that may (a) preserve fast path packet processing andassociated packet-throughput performance, (b) enforce policies forensuring that packets comprising particular/specified communicationstraverse virtual paths that pass through the virtualized BITW devices,and/or (c) be invariant to differences in routing policies acrossdifferent virtual private cloud platforms.

Aspects described herein generally relate to computer hardware andsoftware for TCP/IP networking, and related methods thereof. Forexample, one or more non-limiting aspects of the disclosure generallyrelate to networking devices that mediate packetized data transmissionin a computer network.

For example, methods, devices, systems, and/or computer-readable mediadisclosed herein describe examples of logic and configurations that maysupport (1a) efficient virtualization of inline transparent physicalin-transit packet-processing network devices and/or (1b) efficientdeployment into a virtual private cloud environment; and/or that may(2a) preserve the devices' packet-processing performance and/or (2b)enforce enterprise communications policies that some or all packetscomprising communications between one or more Internet hosts and one ormore virtual hosts connected to the virtual private cloud traverse avirtual path that includes a virtual link between a virtualbump-in-the-wire (BITW) device's network interfaces. These propertiesand characteristics may be invariant to differences or changes inrouting policies that may occur across different virtual private cloudplatforms. As a matter of convenience, the term “Virtual BITW device”may be used herein to label virtualized versions of physical BITWdevices, e.g., inline transparent in-transit fast-path packet-processingphysical network devices that have been virtualized and deployed into acloud.

When virtualized and provisioned into the cloud, these virtual BITWdevices' network interfaces may be assigned (L3) private IP addressesand (L2) MAC addresses that are associated with the devices' efficientNetwork Address Mapper (NAM) logic and the cloud's routing tables toeffect desired L3 proxy functions and L3/L2 routing and forwardingfunctions. The virtualized devices may process in-transit packets usingthe same or similar fast path packet processing (FPPP) logic (e.g., DataPlane Development Kit (DPDK)) used by the physical versions of the BITWdevices while bypassing the slow path operating system's TCP/IPnetworking stack logic.

A virtual host computer connected to a virtual private cloud may beidentified by its (private) IP address and may be associated with apolicy that certain, or all, in-transit packets comprisingcommunications between the virtual host computer and Internet hosts mustpass through a virtual BITW device deployed into a virtual path in thecloud between the virtual host computer and the cloud's Internetinterface, for example, a network address translation (NAT) gateway. TheIP addresses and associated subnets of the virtual BITW device, virtualhost computer, and NAT gateway may be configured such thatcommunications between the Internet and the virtual host computertraverse the virtual path and pass through the virtual BITW device. AnInternet-facing network interface of the virtual BITW device may beidentified as an IP address proxy for the virtual host computer. A NATgateway that interfaces the Internet with the private cloud and thatnatively translates between the virtual host computer's Internet addressand its private IP address may be re-configured to translate the virtualhost computer's Internet address to the proxy address. Packets sourcedby an Internet host and destined for the virtual host computer may berouted (by the cloud) from the NAT gateway to the proxy networkinterface of the virtual BITW device. After receiving a packet at theproxy interface, the device's NAM logic may modify the packet's L3destination address and L2 MAC addresses so that, after the deviceprocesses the packet through the fast-path logic and forwards the packetout the device's virtual host-facing network interface, the packet isrouted to the virtual host computer. Similarly, packets sourced by thevirtual host computer and destined for an Internet host may be routed toand received by the device's virtual host-facing network interface,modified by the NAM logic, processed through the device's fast pathlogic, forwarded out the proxy interface, and routed to the NAT gateway,which may perform an address translation and forward the packet towardsthe Internet host.

Further aspects disclosed herein are directed to configuring a virtualBITW device to process packets through a fast path of the virtual BITWdevice.

Further aspects disclosed herein are directed to configuring a proxy, anaddress, a subnet, and/or a routing table of a virtual BITW device toensure that packets traverse a virtual path through a cloud, wherein thevirtual path comprises a fast path through the virtual BITW device.

Further aspects disclosed herein are directed to provisioning a virtualBITW device into a virtual path; assigning IP addresses to networkinterfaces corresponding to subnets of virtual path terminals;configuring NAM logic (1) with IP and/or MAC addresses of terminalsand/or interfaces, and/or (2) with proxy information; configuring a NATgateway to translate at least one public IP address to a private IPaddress associated with the virtual BITW device; and providing at leastone cloud routing table configured to enforce outbound virtual pathrouting through the virtual BITW device and the NAT gateway.

There are many possible variants and extensions to the above aspects,including for example the case of multiple virtual host computers, someof which are detailed below by way of example.

Features of the disclosure will become more apparent upon a review ofthis disclosure in its entirety, including the drawings providedherewith.

BRIEF DESCRIPTION OF THE DRAWINGS

Some features herein are illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings, in whichlike reference numerals refer to similar elements, and wherein:

FIGS. 1A and 1B depict illustrative network environments for physicalprivate networks including physical inline BITW devices;

FIGS. 2A and 2B depict illustrative network environments for virtualprivate clouds including virtual BITW devices;

FIG. 3 shows an example block diagram of a process of provisioning,configuring, and operating a virtual BITW device in a private cloud;

FIG. 4 shows an example architecture of a virtual BITW device;

FIG. 5 shows an example ladder diagram of packet communications betweenan Internet host and a private cloud-connected virtual host computerthat passes through a virtual BITW device.

FIG. 6 shows an example computing device that may be used to implementany of the devices, systems, and method described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the disclosure. In addition, reference is made to particularapplications, protocols, and embodiments in which aspects of thedisclosure may be practiced. It is to be understood that otherapplications, protocols, and embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the disclosure. It is to be understood that although thedescriptions, figures, and examples reference the IPv4 protocol, theIPv6 protocol and other protocols may be similarly referenced.

Various connections between elements are discussed in the followingdescription. These connections are general and, unless specifiedotherwise, may be direct or indirect, wired or wireless, physical orlogical (e.g., virtual or software-defined), in any combination. In thisrespect, the specification is not intended to be limiting.

As shown in FIG. 2B, when a subscribing enterprise, or other entity suchas a private cloud operator, inserts a virtualized version of a physicalBITW device C 240 (a virtual BITW) in the virtual path 208 in order toprocess in-transit packets, device C's network interfaces C1 241 and C2242 may have (L3) IP addresses assigned to them so that the underlyingprivate cloud platform not only recognizes the device but also canpotentially route packets through the device. However, if the enterprisedefines a policy that, for example, requires that all packets comprisingcommunications between computer 260 and any Internet hosts pass throughdevice C 240, the enterprise may not be able to directly enforce thepolicy because it may not control the routing. For example, the routingprotocol may decide that the best path (not shown in FIG. 2B) betweenNAT-G/W 220 and computer 260 does not pass through device C 240. Theenterprise may take measures to possibly guide the routing protocol toroute particular packets through device C 240; for example, theenterprise may require that interface C1's and interface C2's respectiveIP addresses be associated with different, non-overlapping subnets toincrease the likelihood of the desired routing. For example, in FIG. 2B,interface C1 may be assigned 10.0.1.6 in subnet 10.0.1.0/24, whereasinterface C2 may be assigned 10.0.2.7 in subnet 10.0.2.0/24, which doesnot overlap with interface C1's associated subnet. Such actions,however, do not guarantee the desired routing, because there may be, forexample, a path (not shown in FIG. 2B) between subnet 10.0.1.0/24 andsubnet 10.0.2.0/24 that bypasses device C or, for example, the routingmay cause packets to route in the wrong direction through device C.Furthermore, even when the routing through device C 240 appears to beworking as desired/required, any further changes to the network, e.g.adding, removing, and/or modifying servers, subnets, IP addresses, etc.,may cause a reconfiguration of the routing such that the routing ofpackets through device C 240 no longer meets the enterprise's desiredrequirements.

One approach to supporting IP address and MAC address assignment tonetwork interfaces of (transparent physical) BITW network devices—sothat the devices may be virtualized and provisioned into IaaS providers'virtual private clouds and may participate in L3 routing and L2forwarding—is to revert to using the device OS's (slow path) TCP/IPnetwork stack logic to process in-transit packets and toconfigure/determine routing and forwarding information. Thus, thepacket-throughput performance gains enabled by transparency andassociated fast path packet processing logic in a physical BITW devicemay be sacrificed to support virtualization of the device. Using theOS's TCP/IP network stack logic, however, may cause local routing andforwarding information to be automatically configured by the cloudplatform's routing and switching protocols; but, as noted above, thisdoes not necessarily enforce any packet routing policies/requirementsfor the cloud and may cause further performance reductions.

As will be described below, the following correlated components may beprovided in support of a virtual BITW: (1) a cloud configurationcomponent that may coordinate addressing (e.g., IP and MAC addressing),address translation, proxying, subnetting, and/or routing; and (2) aNetwork Address Mapper (NAM) logic component that may be inserted (e.g.,shimmed) in the Virtual BITW device system such as between the FPPP'snetwork interface controller (NIC) drivers and the FPPP's core packetprocessing logic that may efficiently map L3/IP addresses and L2/MACaddresses of ingressing and/or egressing L3/L2 packets/frames to valuesthat may cause them to be routed/forwarded to intended destinationsalong a virtual path.

Referring to FIG. 3, consider first an example cloud configurationcomponent that may be comprised of any of the following interrelatedsubcomponents:

Configuring the virtual BITW device and associated subnets into avirtual path;

Configuring the NAT gateway and associated proxying; and

Configuring cloud route tables.

Note that the configuration of the subcomponents may be performed in thecontext of and in coordination with the private cloud provider'sinfrastructure, which may automatically and/or transparently performfunctions such as routing and route table generation, MAC addressgeneration and assignment, etc., the operations of which are not shownor described. Note also that the described examples/scenarios are forthe simple case of an inline virtual BITW device 240 intermediatingbetween a single virtual host computer (e.g., computer 260), a singleInternet gateway (e.g. NAT-G/W 220), and a single Internet host (e.g.,HOST-0 110). The methods and systems of the disclosure described hereinare readily extended by skilled artisans to more complex scenarios withmultiple virtual hosts, Internet hosts, gateways, and virtual BITWdevices.

In FIG. 2A, which represents an example environment before a virtualBITW device has been deployed, the NAT-G/W 220 may be configured totranslate between public IP addresses associated with public network 102(e.g., the public Internet) and private IP addresses associated with avirtual private cloud 204. For example, virtual computer 260 may beassociated with the public IP address 174.129.20.63 and with the privateIP address 10.0.2.157. Thus, in FIG. 2A, NAT-G/W 220 is depicted astranslating 174.129.20.63 to/from 10.0.2.157. The cloud platformprovider's (e.g., IaaS provider's) routing system may determine a(bi-directional) path 208 through the virtual private cloud 104 betweennetwork interface N2 222 (with IP address 10.0.1.1) of the NAT-G/W 220and Computer 260 (with IP address 10.0.2.157). The IP addresses 10.0.1.1and 10.0.2.157 and associated network interfaces represent the terminalsof path 208.

Referring to FIG. 3, in Step 3-1, the virtual BITW device may beprovisioned, configured, and deployed into a virtual path. Each terminalof the virtual path may be exclusively associated with a subnet and witha network interface of the virtual BITW device. Each such networkinterface of the virtual BITW device may be assigned an IP address thatis in the same subnet as its associated path terminal. The virtual BITWdevice's NAM logic may be configured with IP addresses and MAC addressesof the virtual path's terminals and of the device's network interfaces.The NAM logic may be configured with information to map packets receivedby the virtual BITW device's proxy interface to the virtual hostcomputer(s), or virtual path terminal(s), that are being proxied.

For example, referring to FIG. 2B, when deploying a virtual BITW deviceC 240 inline into path 208, the network interface C1 241 may beconfigured with an IP address, for example 10.0.1.6, that is in the samesubnet, for example a /24 subnet, as NAT-G/W 220's network interface N2222, which has an IP address 10.0.1.1, and which is one terminal of path208. C1 241 may be designated as the proxy interface, i.e., C1 241 withIP address 10.0.1.6 may serve as the IP address proxy for virtualcomputer 260 (with IP address 10.0.2.157). As a matter of convenience,virtual host computer(s) that are being proxied by a virtual BITWdevice's network interface may be referred to as “target(s)”. The NAMlogic may be configured with this proxy information, which may be usedby the NAM logic to map/modify in-transit L3 packets' IP address fieldvalues of 10.0.1.6 to 10.0.2.157. Concurrently, the network interface C2242 may be configured with an IP address, for example 10.0.2.7, that isin the same subnet, for example a /24 subnet, as target virtual computer260 (with IP address 10.0.2.157, the other terminal of path 208), butwhere the subnet containing C2 is different than and non-overlappingwith the subnet containing C1. After the network interfaces have beenassigned IP addresses, the cloud platform may generate and assign MACaddresses to the interfaces, and update the cloud's routing tables(using, for example, OSPF and ARP) to incorporate/integrate the newlydeployed virtual BITW device 240 into the cloud's routing configuration.The cloud platform may create and maintain routing tables associatedwith each network interface in the cloud, which may determine routesbetween the network interfaces. After the routing tables have beenupdated, the NAM logic may extract from the routing tables andnetworking stack any of the following information: the IP and MACaddress of the target virtual computer 260; the IP and MAC address ofthe C1 241 interface (e.g., the proxy for the target virtual computer260); and/or the MAC address of the NAT-G/W 220 gateway's networkinterface that is in the same subnet as C1 241. As described furtherbelow, this information may be used by the NAM logic to help ensure thatcertain (or all) packets comprising communications between Internethosts and target virtual computer 260 pass through the virtual BITWdevice 240. This information also may be used to efficiently accessrouting and forwarding information in accordance with fast-path packetprocessing, which otherwise may be accessed via the slow-path (i.e., theOS's TCP/IP networking stack).

Referring to FIG. 3, in Step 3-2, the NAT gateway that interfaces theprivate cloud 204 with the public network 102 by translating between thepublic (e.g., Internet) IP addresses and private (e.g., cloud) IPaddresses of virtual host computers may be re-configured to translatethe target virtual host computers' public IP addresses to the private IPaddress of the proxy interface of the virtual BITW device.

For example, referring to FIG. 2B, the NAT-G/W 220 may be configured totranslate 174.129.20.63, the public IP address of computer 260, to10.0.1.6, the private IP address of C1 241 instead of 10.0.2.157, theprivate IP address of target computer 260. In effect, the NAT-G/W 220has designated network interface C1 as the proxy for target computer 260(and, as explained above, the virtual BITW's NAM logic may be configuredsimilarly).

Referring to FIG. 3, in Step 3-3, the cloud platform's route tables maybe modified/configured/augmented such that outbound packets traversingthe virtual path between the path's terminals, for example, packetssourced/originated by a terminal virtual computer and destined for anInternet host (or other public network host) via the NAT gateway, may berouted from a terminal virtual computer to the non-proxy networkinterface of the virtual BITW device, and then from the proxy networkinterface of the virtual BITW device to the NAT gateway that interfacesthe private cloud with the public network. Specifically, the routetables may be modified such that: (1) outbound packets leaving thesubnet associated with both the terminal virtual computer and thenon-proxy interface of the virtual BITW device are directed/forwardedtowards the non-proxy interface; and/or (2) outbound packets leaving thesubnet associated with both the proxy interface of the virtual BITW andthe NAT gateway interface are directed/forwarded towards the NAT gatewayinterface.

For example, referring to FIG. 2B, the augmentations to the cloud'sroute tables may include (1) an entry that identifies the NAT-G/W 220'sN2 222 interface, which has IP address 10.0.1.1, as the Internet gatewayfor all outbound packets exiting the subnet 10.0.1.0/24. Note that (1a)this subnet 10.0.1.0/24 includes the C1 241 proxy interface of thevirtual BITW device 240, and that (1b) N2 222 is a terminal of virtualpath 208. Thus, this entry may help enforce the requirements associatedwith traversal of virtual path 208. The augmentations to the cloud'sroute tables may further include (2) an entry in the route table for theC2 242 interface that identifies the C2 242 interface, which has IPaddress 10.0.2.7, as the egress point for all outbound packets exitingthe subnet 10.0.2.0/24. Note that (2a) this subnet 10.0.2.0/24 includesthe target virtual computer 260 (which has IP address 10.0.2.157) andthat (2b) virtual computer 260 is a terminal of virtual path 208. Thus,this entry may also help enforce the requirements associated withtraversal of virtual path 208.

Upon completion of Steps 3-1, 3-2, and 3-3, the virtual BITW device maybe ready for operation in its virtual path; thus in Step 3-4, thevirtual BITW may be transitioned into operation.

Note that the ordering of Steps 3-1, 3-2, and 3-3 and associatedsubsteps is exemplary and may be different in practice. Moreover, any ofthese steps may be combined and/or further subdivided.

Referring to FIG. 4, which represents an example of the virtual BITWdevice's logic architecture as a pipeline, consider next the NAM logiccomponent. The NAM may be inserted between the FPPP's network interfacecontroller (NIC) drivers and the fast path packet processing (FPPP)application logic, where the application may be, for example, networkfirewalling, network access control, web proxy, TLS proxy, packetsecurity gateway, threat intelligence gateway, IPsec gateway, and/or thelike. A purpose of the NAM may be explained in terms of why it may beused in a virtual BITW device but not by a physical BITW device. Forexample, a version of FIG. 4 for a physical BITW device may differ fromFIG. 4 (for the virtual BITW) at least by the NAM logic component.

The NAM component may provide one or more functions. Examples of thesefunctions may include:

NAM Function 1: For the proxy network interface, maps between the proxyIP address and the target virtual computer's IP addresses;

NAM Function 2: Configures the IP and MAC addresses of in-transit L3packets and L2 frames to enforce virtual path traversalpolicies/requirements; and/or

NAM Function 3: Maintains an efficient data structure, which may beindexed by packets' flow characteristics, containing informationassociated with recently observed in-transit frames/packets in order torecover and quickly access routing and forwarding information associatedwith packets in the same flow that may have been lost during proxying.

All three (3) NAM functions listed above result from a desire to assignIP addresses and MAC addresses to the virtual BITW device's networkinterfaces (C1 and C2 in FIG. 4); whereas by definition, a physical BITWdevice's network interfaces are L3- and L2-transparent, and thus thereis no need for a NAM.

Regarding NAM Function 1: Recall from above, for example Step 3-2 ofFIG. 3, that the Internet-Cloud NAT gateway may be configured totranslate the target virtual computer(s)'s public IP address(es) to theIP address of the proxy interface of the virtual BITW device.Accordingly, for example in Step 3-1 of FIG. 3, the NAM logic may beconfigured to translate the proxy interface's IP address to the privateIP address(es) of the target virtual computer(s).

For example, referring also to FIG. 2B, because the interface C1 241 mayproxy for target virtual computer 260, when C1 receives a packet withthe L3 destination IP address set to C1's IP address 10.0.1.6, the NAMlogic may be configured to change the packet's destination IP address totarget computer 260's IP address 10.0.2.157, and then forward the packettowards interface C2 via the fast path through the FPPP applicationlogic. Conversely, when C2 receives a packet with the L3 source IPaddress set to target Computer 260's IP address 10.0.2.157, the packetmay be forwarded via the fast path to the NAM, which may be configuredto change the packet's source IP address to C1's IP address 10.0.1.6. C1may then forward the packet towards its destination. If the packet'sdestination IP address is an Internet (or other public network) address,then the packet may pass through the NAT-G/W 220, which may translatethe packet's L3 source IP address from C1's IP address 10.0.1.6 tocomputer 260's public IP address 174.129.20.63.

Regarding NAM Function 2: The network interfaces of the virtual BITWdevice may be responsible for forwarding packets towards theirdestinations. The forwarding function may be responsible for causing theMAC addresses of the L2 frames containing the L3 packets to be set tothe proper values, for example, the MAC addresses of the terminals ofthe virtual path. These MAC address values may be obtained from thecloud's routing tables via the slow path, i.e., via calls to the OSkernel's TCP/IP networking stack logic; however, for performancereasons, the virtual BITW device may not use the slow path whenprocessing in-transit packets. By configuring the NAM logic with theproper MAC addresses information when configuring the virtual BITWdevice for operations, for example as in Step 3-1 of FIG. 3, then theforwarding function may obtain MAC address information from the (fastpath) NAM instead of the (slow path) OS kernel's TCP/IP networkingstack.

Regarding NAM Function 3: This function may be used for some cloudconfigurations where there are, for example, multiple virtual computersthat may be proxied by another target virtual computer, e.g., a loadbalancer, web proxy, etc., with the associated communications passingthrough the virtual BITW device. For example, suppose there is no NAMFunction 3; then, a request packet that is originated by one of multiplevirtual computers behind a proxying target virtual computer (e.g., aload balancer) and destined for an Internet host may cause the Internet(or other public network) host to create and transmit a response packetthat has the proxying load balancer's IP address as the destination.Upon receiving the response packet, the load balancer may not know whichproxied virtual computer sourced/originated the corresponding request;thus, the load balancer may choose any one of the proxied virtualcomputers to forward the response packet towards; thus, it may be thecase that the chosen proxied virtual computer may not be theoriginator/source of the corresponding request packet.

To handle the above example scenario and others, the NAM may include anefficient data structure that stores/caches information on recentlyobserved L3 packets and associated L2 frames, including the packet's5-tuple values (L3 source and destination IP addresses, L4 source anddestination ports, L3 protocol type), the associated frame's MACaddresses, and/or the direction. This way, the NAM may be able to handlethe example scenario above (and similar scenarios) by recovering the IPaddress and MAC address of the virtual computer that originated thecorresponding request packet and modifying the response packet andassociated frame accordingly such that the response packet is ultimatelyreceived by the proper virtual computer. Note that in keeping withfast-path performance requirements that may be in place, the efficientdata structure, for example an LRU cache, may support efficientinsertions, searches, and/or deletions.

FIG. 5 illustrates an example of a communication between the Internethost HOST-0 110 and the virtual computer 260 in the private cloud thatmay pass through the virtual BITW device 240 in the virtual path 208.The example network elements represented in FIG. 5 correspond to theexample elements and associated configurations represented in FIG. 2B,however the elements in FIG. 5 may correspond to other configurationsdescribed herein. Also assume, for example purposes, that the virtualBITW device 240 has been deployed and configured as per Steps 3-1, 3-2,and 3-3 of FIG. 3 and is in an operational mode represented by Step 3-4of FIG. 3.

As an example, virtual computer 260 may execute a web server applicationwith a DNS-registered domain name www.example-web-server.net, and HOST-0110 (addressed by, for example, public IP address 74.65.150.95) mayexecute a web client/web browser application. A user operating the webbrowser on HOST-0 110 may point the browser to the URLhttps://www.example-web-server.net. In Step 5-0 (not shown in FIG. 5),the browser may issue a query to the (Internet) DNS to resolvewww.example-web-server.net, and the DNS may respond with the IP address174.129.20.63.

In Step 5-1, HOST-0 110 may initiate the establishment of a TCPconnection with port 443 (HTTPS) of 174.129.20.63 (i.e., virtualcomputer 260) by sending an TCP SYN handshake packet P0.0 with L3 sourceIP address 74.65.150.95 and L3 destination IP address 174.129.20.63through the Internet towards virtual computer 260.

In Step 5-2, NAT-G/W 220 may receive packet P0.0. The NAT function maytranslate computer 260's public IP address 174.129.20.63 to 10.0.1.6,which may be the (private) IP address of network interface C1 241 ofvirtual BITW device 240, and which may be the proxy IP address fortarget virtual computer 260. NAT-G/W 220 may transform packet P0.0 toP0.1 as follows: (1) L3 destination IP address changed to 10.0.1.6 (theIP address of proxy network interface C1 241); (2) L2 source MAC addresschanged to 12:f7:4c:ac:de:7f (the MAC address of NAT-G/W 220's networkinterface N2 222); and (3) L2 destination MAC address changed to12:3d:f8:07:f0:19 (the MAC address of virtual BITW device 240's networkinterface C1 241). Network interface N2 222 may send packet P0.1 towardsvirtual BITW device 240's network interface C1 241 on virtual path 208.

In Step 5-3, virtual BITW device 240 may receive packet P0.1 through itsnetwork interface C1 241. As per NAM Function 3 described above, the NAMmay insert information associated with packet P0.1 into its efficientdata structure for storing information associated with recently observedpackets, in case the origin computer information is needed later torecover information that may be lost during the proxy transformations(not illustrated in this example). The NAM may transform packet P0.1 toP0.2 as follows: (1) L3 destination IP address changed to 10.0.2.157(the IP address of virtual Computer 260); (2) L2 source MAC addresschanged to 12:a8:84:40:b6:39 (the MAC address of network interface C2242); and (3) L2 destination MAC address changed to 12:43:9d:b6:7b:f3(the MAC address of virtual computer 260's network interface). The NAMmay forward/pipeline packet P0.2 towards C2 242. The (fast path) packetprocessing application processes packet P0.2. Assuming that theapplication does not drop/block packet P0.2, network interface C2 242may send packet P0.2 towards virtual computer 260 on virtual path 208.

In Step 5-4, target virtual computer 260 may receive packet P0.2.Computer 260 may respond to the TCP SYN handshake signal by creating apacket P1.0 containing a TCP SYN-ACK handshake signal and with: (1) L3source IP address set to 10.0.2.157 (the private IP address of virtualcomputer 260); (2) L3 destination IP address set to 74.65.150.95 (the IPaddress of HOST-0 110); (3) L2 source MAC address set to12:43:9d:b6:7b:f3 (the MAC address of computer 260); and (4) L2destination MAC address set to 12:a8:84:40:b6:39 (the MAC address ofnetwork interface C2 242 of the virtual BITW device 240). Setting packetP1.0's destination MAC address to C2 242's MAC address may help ensurethat packet P1.0 traverses virtual path 208 through the virtual BITWdevice 240, even though P1.0's L3 destination IP address is not the IPaddress of C2 242. Computer 260 may send/forward packet P1.0 towardsHOST-0 110 on virtual path 208.

In Step 5-5, virtual BITW device 240 may receive packet P1.0 through itsnetwork interface C2 242. As per NAM Function 3 described above, the NAMmay insert information associated with packet P1.0 into its efficientdata structure for storing information associated with recently observedpackets, in case the origin computer information is needed later torecover information that may be lost during the proxy transformations(not illustrated in this example). The NAM may transform packet P1.0 toP1.1 as follows: (1) L3 source IP address changed to 10.0.1.6 (the IPaddress of network interface C1 241, which proxies for computer 260);(2) L2 source MAC address changed to 12:3d:f8:07:f0:19 (the MAC addressof network interface C1 241); and (3) L2 destination MAC address changedto 12:f7:4c:ac:de:7f (the MAC address of NAT-G/W 220's network interfaceN2 222). Setting packet P1.1's destination MAC address to N2 222's MACaddress may help ensure that packet P1.1 traverses virtual path 208 tothe NAT-G/W 220, even though P1.1's L3 destination IP address is not theIP address of N2 222. The NAM may forward/pipeline packet P1.1 towardsC1 241. The (fast path) packet processing application processes packetP1.1. Assuming that the application does not drop/block packet P1.1,network interface C1 241 may send/forward packet P1.1 towards HOST-0 110on virtual path 208.

In Step 5-6, NAT-G/W 220 may receive packet P1.1 through its networkinterface N2 222, which is a terminal of virtual path 208. The NAT-G/W220 may transform packet P1.1 to P1.2 as follows: (1) L3 source IPaddress changed to 174.129.20.63 (the public IP address of virtualcomputer 260). Network interface N1 221 sends/forwards packet P.1.2towards HOST-0 110 via the Internet.

In Step 5-7, a TCP connection and TLS tunnel between HOST-0 110 andvirtual Computer 260 (which hosts web site www.example-web-site.net) maybe established, and a (TLS-secured) HTTP session (e.g. HTTPS) may beconducted. Upon completion of the HTTP session, the TLS tunnel and theTCP connection may be torn down. All packets composing thecommunications may traverse the virtual path 208 and transit through thevirtual BITW device 240 in both directions.

Any of the elements described herein or illustrated in any of thefigures may be partially or fully implemented using one or morecomputing devices. Hardware elements of an example computing device 600,which may be used to implement any of the other elements describedherein, are shown in FIG. 6. Any of these hardware elements, and/or thecomputing device 600 itself, may be emulated in a virtual version ofcomputing device 600. Computing device 600 may include one or moreprocessors 601 that may execute computer-readable instructions of acomputer program to perform any of the functions or other operationsdescribed herein. The instructions, along with other data, may be storedin storage 602, which may include, for example, memory such as read-onlymemory (ROM) and/or random access memory (RAM), a hard drive, a magneticor optical disk, a Universal Serial Bus (USB) drive, and/or any othertype of computer-readable media. Computing device 600 may also include auser interface 604 for interfacing with one or more input devices 605such as a keyboard, mouse, voice input, etc., and for interfacing withone or more output device 606 such as a display, speaker, printer, etc.Computing device 600 may also include a network interface 603 forinterfacing with one or more external devices that may be part of anetwork external to computing device 600. Although FIG. 6 shows anexample hardware configuration, one or more of the elements of computingdevice 600 may be implemented as software or a combination of hardwareand software. Modifications may be made to add, remove, combine, divide,etc. components of computing device 600. Additionally, the elementsshown in FIG. 6 may be implemented using basic computing devices andcomponents that have been configured to perform operations such as aredescribed herein. Processor(s) 601 and/or storage 602 may also oralternatively be implemented through one or more Integrated Circuits(ICs). An IC may be, for example, a microprocessor that accessesprogramming instructions or other data stored in a ROM and/or hardwiredinto the IC. For example, an IC may comprise an Application SpecificIntegrated Circuit (ASIC) having gates and/or other logic dedicated tothe calculations and other operations described herein. An IC mayperform some operations based on execution of programming instructionsread from ROM or RAM, with other operations hardwired into gates orother logic.

The functions and steps described herein may be embodied incomputer-usable data or computer-executable instructions, such as in oneor more program modules, executed by one or more computing devices(e.g., computers or other data-processing devices) to perform one ormore functions described herein. Generally, program modules may includeroutines, programs, objects, components, data structures, and/or otherelements that perform particular tasks or implement particular abstractdata types when executed by one or more processors of one or morecomputing devices. The computer-executable instructions may be stored ona computer-readable medium such as a hard disk, optical disk, removablestorage media, solid-state memory, RAM, etc. As will be appreciated, thefunctionality of the program modules may be combined or distributed asdesired. In addition, the functionality may be embodied in whole or inpart in firmware or hardware equivalents, such as integrated circuits,application-specific integrated circuits (ASICs), field-programmablegate arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects of the disclosure, andsuch data structures are contemplated to be within the scope ofcomputer-executable instructions and computer-usable data describedherein.

Although not required, one of ordinary skill in the art will appreciatethat various aspects described herein may be embodied as a method,system, apparatus, or one or more computer-readable media storingcomputer-executable instructions that, when executed by one or moreprocessors of a computing device, cause the computing device to performsteps as disclosed herein. Accordingly, aspects may take the form of anentirely hardware embodiment, an entirely software embodiment, anentirely firmware embodiment, an entirely virtual embodiment, or anembodiment combining software, hardware, virtualized, and/or firmwareaspects in any combination.

As described herein, the various methods and acts may be operativeacross one or more physically separate or integrated computing devices(which together may form a computing device) and networks. Thefunctionality may be distributed in any manner or may be located in asingle physical computing device or virtual version of a computingdevice (e.g., a server, client computer, a user device, a virtualenvironment, or the like).

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one of ordinary skill in the art willappreciate that the steps illustrated in the illustrative figures may beperformed in other than the recited order and that one or moreillustrated steps may be optional.

1. A method comprising: provisioning a device into a virtual path,wherein the virtual path comprises a fast path through the device, andwherein the device is configured to send, via the fast path, at leastone packet received from a network address translation (NAT) gateway;configuring network address mapper (NAM) logic with: addresses of aplurality of virtual path terminals connected via the virtual path; andaddresses of a plurality of network interfaces, wherein each of theplurality of network interfaces corresponds to a different virtual pathterminal of the plurality of virtual path terminals; configuring the NATgateway to translate at least one public Internet Protocol (IP) addressto a private IP address associated with the device; and providing atleast one cloud routing table configured to enforce virtual path routingthrough the device and the NAT gateway.
 2. The method of claim 1,wherein the device comprises a virtual bump-in-the-wire (BITW) device.3. The method of claim 1, wherein the addresses of the plurality ofvirtual path terminals comprises: a plurality of Internet Protocol (IP)addresses of the plurality of virtual path terminals; and a plurality ofmedia access control (MAC) addresses of the plurality of virtual pathterminals.
 4. The method of claim 1, wherein the addresses of theplurality of network interfaces comprises: a plurality of InternetProtocol (IP) addresses of the plurality of network interfaces; and aplurality of media access control (MAC) addresses of the plurality ofnetwork interfaces.
 5. The method of claim 1, wherein the plurality ofnetwork interfaces comprises: a first network interface of the devicecorresponding to a first subnet; and a second network interface of thedevice corresponding to a second subnet, wherein the first subnet andthe second subnet are non-overlapping.
 6. The method of claim 5, whereinthe first subnet is configured to interface with the NAT gateway and thesecond subnet is configured to interface with one or more targets. 7.The method of claim 1, wherein the cloud routing table is configured toenforce outbound virtual path routing through the device and the NATgateway.
 8. The method of claim 1, wherein the configuring the NAM logiccomprises configuring the NAM logic such that each of the plurality ofvirtual path terminals is exclusively mapped to one of the plurality ofnetwork interfaces.
 9. A method comprising: receiving, by a networkaddress translation (NAT) gateway, a packet addressed to a publicInternet Protocol (IP) address; translating, by the NAT gateway, thepublic IP address to a private IP address of a device that isprovisioned into a virtual path, wherein the virtual path comprises afast path through the device, wherein the device is configured to send,via the fast path, at least one packet received from the NAT gateway,and wherein the device comprises network address mapper (NAM) logicconfigured with: addresses of a plurality of virtual path terminalsconnected via the virtual path; and addresses of a plurality of networkinterfaces, wherein each of the plurality of network interfacescorresponds to a different virtual path terminal of the plurality ofvirtual path terminals; and sending by the NAT gateway, the packettowards the private IP address.
 10. The method of claim 9, furthercomprising routing, using at least one cloud routing table, the packetthrough the virtual path via the NAT gateway and the device.
 11. Themethod of claim 9, wherein the device comprises a virtualbump-in-the-wire (BITW) device.
 12. The method of claim 9, wherein theaddresses of the plurality of virtual path terminals comprises: aplurality of Internet Protocol (IP) addresses of the plurality ofvirtual path terminals; and a plurality of media access control (MAC)addresses of the plurality of virtual path terminals.
 13. The method ofclaim 9, wherein the addresses of the plurality of network interfacescomprises: a plurality of Internet Protocol (IP) addresses of theplurality of network interfaces; and a plurality of media access control(MAC) addresses of the plurality of network interfaces.
 14. The methodof claim 9, wherein the plurality of network interfaces comprises: afirst network interface of the device corresponding to a first subnet;and a second network interface of the device corresponding to a secondsubnet, wherein the first subnet and the second subnet arenon-overlapping.
 15. The method of claim 14, wherein the first subnet isconfigured to interface with the NAT gateway and the second subnet isconfigured to interface with one or more targets.
 16. The method ofclaim 9, wherein the NAM logic is configured such that each of theplurality of virtual path terminals is exclusively mapped to one of theplurality of network interfaces.
 17. A network address translation (NAT)gateway comprising: one or more processors; and one or morecomputer-readable media storing instructions that, when executed by theone or more processors, cause the NAT gateway to: receive a packetaddressed to a public Internet Protocol (IP) address; translate thepublic IP address to a private IP address of a device that isprovisioned into a virtual path, wherein the virtual path comprises afast path through the device, wherein the device is configured to send,via the fast path, at least one packet received from the NAT gateway,and wherein the device comprises network address mapper (NAM) logicconfigured with: addresses of a plurality of virtual path terminalsconnected via the virtual path; and addresses of a plurality of networkinterfaces corresponding to subnets of the virtual path terminals,wherein each of the plurality of network interfaces corresponds to adifferent virtual path terminal of the plurality of virtual pathterminals; and send the packet towards the private IP address.
 18. TheNAT gateway of claim 17, wherein the instructions, when executed by theone or more processors, further cause the NAT gateway to enforcerouting, using at least one cloud routing table, of the packet throughthe virtual path via the NAT gateway and the device.
 19. The NAT gatewayof claim 17, wherein the addresses of the plurality of virtual pathterminals comprises: a plurality of Internet Protocol (IP) addresses ofthe plurality of virtual path terminals; and a plurality of media accesscontrol (MAC) addresses of the plurality of virtual path terminals. 20.The NAT gateway of claim 17, wherein the addresses of the plurality ofnetwork interfaces comprises: a plurality of Internet Protocol (IP)addresses of the plurality of network interfaces; and a plurality ofmedia access control (MAC) addresses of the plurality of networkinterfaces.
 21. The NAT gateway of claim 17, wherein the plurality ofnetwork interfaces comprises: a first network interface of the devicecorresponding to a first subnet; and a second network interface of thedevice corresponding to a second subnet, wherein the first subnet andthe second subnet are non-overlapping.
 22. The NAT gateway of claim 17,wherein the NAM logic is configured such that each of the plurality ofvirtual path terminals is exclusively mapped to one of the plurality ofnetwork interfaces.
 23. A system comprising: a network addresstranslation (NAT) gateway comprising: one or more processors; and one ormore computer-readable media storing instructions; and a device that isprovisioned into a virtual path and that has a private Internet Protocol(IP) address, wherein the virtual path comprises a fast path through thedevice, wherein the device is configured to send, via the fast path, atleast one packet received from the NAT gateway, and wherein the devicecomprises network address mapper (NAM) logic configured with: addressesof a plurality of virtual path terminals connected via the virtual path;and addresses of a plurality of network interfaces corresponding tosubnets of the virtual path terminals, wherein each of the plurality ofnetwork interfaces corresponds to a different virtual path terminal ofthe plurality of virtual path terminals, wherein the instructions, whenexecuted by the one or more processors, cause the NAT gateway to:receive a packet addressed to a public IP address; translate the publicIP address to the private IP address of the device; and send the packettowards the private IP address of the device.
 24. The system of claim23, wherein the instructions, when executed by the one or moreprocessors, further cause the NAT gateway to enforce routing, using atleast one cloud routing table, of the packet through the virtual pathvia the NAT gateway and the device.
 25. The system of claim 23, whereinthe device comprises a virtual bump-in-the-wire (BITW) device.
 26. Thesystem of claim 23, wherein the addresses of the plurality of virtualpath terminals comprises: a plurality of Internet Protocol (IP)addresses of the plurality of virtual path terminals; and a plurality ofmedia access control (MAC) addresses of the plurality of virtual pathterminals.
 27. The system of claim 23, wherein the addresses of theplurality of network interfaces comprises: a plurality of InternetProtocol (IP) addresses of the plurality of network interfaces; and aplurality of media access control (MAC) addresses of the plurality ofnetwork interfaces.
 28. The system of claim 23, wherein the plurality ofnetwork interfaces comprises: a first network interface of the devicecorresponding to a first subnet; and a second network interface of thedevice corresponding to a second subnet, wherein the first subnet andthe second subnet are non-overlapping.
 29. The system of claim 28,wherein the first subnet is configured to interface with the NAT gatewayand the second subnet is configured to interface with one or moretargets.
 30. The system of claim 23, wherein the NAM logic is configuredsuch that each of the plurality of virtual path terminals is exclusivelymapped to one of the plurality of network interfaces.